We carry out a DPIA to identify the risks to individuals, show how we are going to deal with them and what measures we have in place to meet GDPR requirements.

We carry out processing caught by Article 22(1) because it is necessary for entering into, or performing, a contract with the individual (the exception in Article 22(2)(a)), and we can demonstrate why it is necessary.

OR

We carry out processing caught by Article 22(1) because we have the individual’s explicit consent recorded (the exception in Article 22(2)(c)). We can show when and how we obtained consent. We tell individuals how they can withdraw consent and have a simple way for them to do this.

OR

We carry out processing caught by Article 22(1) because Union or Member State law authorises or requires us to do so and lays down suitable safeguards for the individual (the exception in Article 22(2)(b)). This is the most appropriate way to achieve our aims.

We don’t use special category data in our automated decision-making systems unless Article 22(4) allows it, that is, we have the individual’s explicit consent (Article 9(2)(a)) or the processing is necessary for reasons of substantial public interest (Article 9(2)(g)), and we can demonstrate which applies. We delete any special category data our systems create accidentally, for example by inferring it from other data.

We explain that we use automated decision-making processes, including profiling. We explain what information we use, why we use it and what the effects might be.

We have a simple way for people to ask us to reconsider an automated decision.

We have identified staff in our organisation who are authorised to carry out reviews and change decisions.

We regularly check our systems for accuracy and bias and feed any changes back into the design process.

As a model of best practice…

We use visuals to explain what information we collect/use and why this is relevant to the process.

We have signed up to [standard] a set of ethical principles to build trust with our customers. This is available on our website and on paper.

Automated individual decision-making is a decision made by automated means without any human involvement.

Examples of this include:

an online decision to award a loan; and

a recruitment aptitude test which uses pre-programmed algorithms and criteria.

Automated individual decision-making does not have to involve profiling, although it often will do.

The GDPR says that profiling is:

“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

[Article 4(4)]

Organisations obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data organisations might collect.

Information is analysed to classify people into different groups or sectors, using algorithms and machine learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. There is more information about algorithms and machine learning in the ICO’s paper on big data, artificial intelligence, machine learning and data protection.

Based on the traits of others who appear similar, organisations use profiling to:

find something out about individuals’ preferences;

predict their behaviour; and/or

make decisions about them.

This can be very useful for organisations and individuals in many sectors, including healthcare, education, financial services and marketing.

Automated individual decision-making and profiling can lead to quicker and more consistent decisions. But if they are used irresponsibly there are significant risks for individuals. The GDPR provisions are designed to address these risks.

The GDPR restricts you from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

[Article 22(1)]

For something to be solely automated there must be no human involvement in the decision-making process. The human involvement has to be meaningful: someone with the authority and competence to change the decision must actually consider it. A person who merely rubber-stamps the output of the system does not take the decision outside Article 22(1).

The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision.

A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

Because this type of processing is considered to be high-risk, the GDPR requires you to carry out a Data Protection Impact Assessment (DPIA) before you start (Article 35(3)(a)) to show that you have identified and assessed what those risks are and how you will address them.

As well as restricting the circumstances in which you can carry out solely automated individual decision-making (as described in Article 22(1)) the GDPR also:

requires you to give individuals specific information about the processing;

obliges you to take steps to prevent errors, bias and discrimination; and

gives individuals rights to challenge and request a review of the decision.

These provisions are designed to increase individuals’ understanding of how you might be using their personal data.

You must:

provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual;

use appropriate mathematical or statistical procedures;

ensure that individuals can:

obtain human intervention;

express their point of view; and

obtain an explanation of the decision and challenge it;

put appropriate technical and organisational measures in place, so that you can correct inaccuracies and minimise the risk of errors;

secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.
